Thursday, May 19, 2011

Here are two good examples of floating SOCKS proxies, taken from the latest database run.

The highlighted address was listening on two ports at the same time, but had also been seen on no less than six other ports during the same run. The non-highlighted address was also listening on two distinct ports. Those ports will eventually close and both addresses will reappear sooner or later on different ports.

This is more annoying than it is useful.

So what the hell is going on here? I haven't done my homework yet, but I still have a gut feeling these are TOR nodes. Of course, at one time I had a gut feeling all those Chinese proxies were malware, but we all saw how that turned out.

There are about 9,000 of these multi-port SOCKS4 proxies that have shown up since I started doing SOCKS back in March. So many that I'm going to start flagging them on the list this weekend.

UPDATE 05/20/2011

I was somewhat surprised to see the number of plain old CERN proxies that were also running on floating ports, but they're still far outnumbered by the SOCKS floaters.

Since these SOCKS4 floaters seem to be as ephemeral as Chinese proxies, and therefore more trouble than they're worth, I am considering re-checking them between list publishing runs to keep their numbers down. It doesn't help anyone to list them if they've moved on to another port.

I figured this was right up my alley, so I compared the 23,000 addresses with the 3.7 million proxies in the database and got 104 hits (a whopping 0.45%).

149 if you count repeat offenders (the same IP address listening on different ports).

There is a smattering of obvious malware ports, mostly the ports Koobface has loved so much over the past two years (8085 and 9090), and our mystery port 27977. There are a few traditional CERN type proxy ports (8080, 8000, etc), but the rest of them are all across the board, just like the SOCKS recidivists I mentioned on Proxy Obsession just before it went dark.

I have to confess complete, utter stupidity on the inner workings of TOR, but I did some quick armchair research and it appears the likelihood is high that they are. Or, at least, many may be. TOR does indeed leverage SOCKS functionality, and, being part of the network, you'd have to leave the ports open, just waiting to be scanned by an army of proxy hunters.
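Two of the things described above (flagging addresses that show up on several ports, and comparing an outside address list against the proxy database to get the "104 unique / 149 counting repeat offenders" style numbers) boil down to a couple of GROUP BY queries. This is an added example, not the author's collection code: the real database is MySQL and its schema isn't shown here, so the sightings table is an assumed minimal one, the rows are constructed RFC 5737 test addresses, and sqlite3 is used so it runs stand-alone. The SQL is plain enough to port.

```python
"""Flag "floating" SOCKS proxies and cross-reference an external address
list against a proxy sightings table.

Added example, not the author's collection code. The schema is an assumed
minimal one and the rows are constructed; sqlite3 stands in for MySQL.
"""
import sqlite3

# Constructed sightings: (ip, port, proto, run_id). RFC 5737 test addresses.
SAMPLE_SIGHTINGS = [
    ("198.51.100.7",  1080,  "socks4", 41),  # two ports in run 41 ...
    ("198.51.100.7",  6588,  "socks4", 41),
    ("198.51.100.7",  23456, "socks4", 42),  # ... and two different ones in run 42
    ("198.51.100.7",  27977, "socks4", 42),
    ("203.0.113.9",   9090,  "socks4", 41),
    ("203.0.113.9",   8085,  "socks4", 42),
    ("203.0.113.9",   9090,  "socks4", 42),
    ("192.0.2.33",    1080,  "socks4", 41),  # stays put: not a floater
    ("192.0.2.33",    1080,  "socks4", 42),
    ("192.0.2.20",    9415,  "http",   41),  # plain CERN-style proxies
    ("192.0.2.20",    9415,  "http",   42),
    ("198.51.100.80", 8080,  "http",   41),
    ("198.51.100.80", 8000,  "http",   42),
]


def load(rows):
    """Build an in-memory sightings table from (ip, port, proto, run_id) rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sightings (ip TEXT, port INTEGER, proto TEXT, run_id INTEGER)")
    conn.executemany("INSERT INTO sightings VALUES (?, ?, ?, ?)", rows)
    return conn


def floaters(conn, proto="socks4", min_ports=2):
    """Addresses seen on min_ports or more distinct ports for the given protocol.
    Returns [(ip, distinct_ports, distinct_runs)], most ports first."""
    return conn.execute(
        """SELECT ip, COUNT(DISTINCT port) AS nports, COUNT(DISTINCT run_id) AS nruns
           FROM sightings WHERE proto = ?
           GROUP BY ip HAVING nports >= ?
           ORDER BY nports DESC, ip""",
        (proto, min_ports)).fetchall()


def cross_reference(conn, suspects):
    """Compare an external IP list against the sightings.
    Returns unique-IP hits, distinct ip:port hits ("repeat offenders" counted
    once per port) and the hit rate in percent of the suspect list."""
    conn.execute("DROP TABLE IF EXISTS suspects")
    conn.execute("CREATE TEMP TABLE suspects (ip TEXT PRIMARY KEY)")
    conn.executemany("INSERT OR IGNORE INTO suspects VALUES (?)", [(s,) for s in suspects])
    ip_hits = conn.execute(
        "SELECT COUNT(DISTINCT s.ip) FROM sightings s JOIN suspects u ON s.ip = u.ip"
    ).fetchone()[0]
    pair_hits = conn.execute(
        """SELECT COUNT(*) FROM (SELECT DISTINCT s.ip, s.port
           FROM sightings s JOIN suspects u ON s.ip = u.ip)"""
    ).fetchone()[0]
    total = conn.execute("SELECT COUNT(*) FROM suspects").fetchone()[0]
    return {"ip_hits": ip_hits, "pair_hits": pair_hits,
            "hit_rate_pct": round(100.0 * ip_hits / total, 2) if total else 0.0}


def hit_ports(conn, suspects):
    """Port breakdown of the cross-reference hits: [(port, distinct ips)], busiest first."""
    cross_reference(conn, suspects)  # (re)populate the temp suspects table
    return conn.execute(
        """SELECT s.port, COUNT(DISTINCT s.ip) AS n
           FROM sightings s JOIN suspects u ON s.ip = u.ip
           GROUP BY s.port ORDER BY n DESC, s.port"""
    ).fetchall()


if __name__ == "__main__":
    db = load(SAMPLE_SIGHTINGS)
    print("SOCKS4 floaters:", floaters(db))
    watch = ["198.51.100.7", "192.0.2.33", "10.0.0.1"]
    print("cross-reference:", cross_reference(db, watch))
    print("ports among hits:", hit_ports(db, watch))
```

On the constructed rows, `floaters()` flags the address that wandered across four ports in two runs and the one that moved between 9090 and 8085, but not the address that sat on 1080 both runs. `cross_reference()` gives the two counts the post reports separately: unique addresses that hit, and ip:port pairs. Against the real table, the obvious extra filter is a minimum run count, since a port that was only ever seen once is exactly the kind of entry that's gone before the list is published.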

Monday, May 09, 2011

Well, this hosting provider appears to be a loser. This time around, I'm not mentioning names, but it shouldn't be too hard to figure out who they are.

Their ftp server seems to be out in the weeds. The List is supposed to be updated every hour... as long as there's an ftp server on the other end. Right now, it's been almost three hours since the List was updated.

I send a SYN for the three-way TCP handshake and nothing comes back. They assure me there is no issue on their end. Then, if you do some troubleshooting on your end, like scanning port 21 to see if it's open, they block your IP. I'm not kidding.

In fact, I've taken to viewing my own List over one of the many fine Glype proxies out there (NoScript and Ad Block enabled) just to keep my connection count down with their servers.

This does solve the problem of list scrapers, which I never really considered a problem. If you snarf the whole list down with a wget script, you'll exceed their limits and they'll block your IP.

Jesus.

So right now Wireshark's been running, collecting data on every update run.

It doesn't look good.

To be fair(-ish), these folks have had serious DDoS issues in the past, so they're in paranoid overkill mode on the security side. But the result is they're DoS'ing their own customers. Very strange business model.

I have some options, but I expect the same results. I didn't mess with them over the weekend because, for one, they kept blocking my IP, and two, I was preoccupied with rebuilding my system, which died right after I started bringing the site back (moving XP to another physical box—without reinstalling—is always fun).

Anyway, I can live with the failed updates for a few weeks while I look for another provider. The collection process runs as it always has, so I have the data, even if you don't.

Saturday, May 07, 2011

It seems that the Universe is conspiring against me, trying everything in its power to prevent the resurrection of the List.

But it's back now, and the Cameroonian puppy scammers are whacking it like there's no tomorrow. The way things are going, they might be right.

Last night, after I tweeted the announcement of the List's imminent rebirth, my system died. That makes three so far this year. I don't even have a box to play UT on anymore, which sucks out loud.

Then, the past came back to haunt me. When I first set the account up with GoneDaddy back in '05, I wanted to go with Linux and I had selected Linux as the platform, but I hit the back button to check something and reset the choice to Windows. HUGE mistake, but I decided to live with it.

BAD decision.

The problem? Windows is case insensitive. Linux is not. Since I hacked most of my graphics together with mspaint, they all had UPPER CASE extensions.

I ran across this issue last year when I was hacking around with Nginx as a front end for Windows IIS servers. It's like oil and water. They just don't mix. In fact the only surefire way to beat the issue is to compile a case insensitive version of Linux, which breaks everything.

And of course, all the graphics files were backed up to the computer that died.

To top that issue off, I had used FileZilla to download the old site and in its infinite wisdom, it converted all those mixed case graphics to lower case. If it had just left well enough alone, 90% of the graphics issues would have gone away.

But now all that's fixed and the List is up in all its former glory (minus the objectionable content that killed it--can you guess what that was?). The Proxy Obsession links are all broken, of course, but I expect to fix that soon.

Friday, May 06, 2011

I just put mrhinkydink.com back online and the place is getting hammered. The list isn't there yet, but apparently there are a zillion or so page scraping bots hammering the place.

Gosh folks, I'm speechless.

You guys with the proxy mining bots should really think about putting a fake referrer in your headers. Talk about rubbing it in. And get rid of the Wget User-Agent! Most proxy lists will slam you with a 403 when they see that shit. Get a clue!

What a bunch of newbs.

It sure is nice having a host provider with decent Web stats. And cheaper than that rat bastard GoDaddy (now GoneDaddy).

No, I have to take back all the bad things I ever said about GD. They were very gracious during the Trouble Time, offering to help me work through the issues (wasn't going to happen) and even waived all the fees.

And they never sent a customer satisfaction survey when it was All Over. I would've rated them high on that one.

I'm serious about that. They really wanted to help. It's a shame it was a lost cause (no fault of their own).

While I was down, the List kept doing its thing even though it had nowhere to go. Glancing over the database, it seems like the other day Southeast Asia had a flashmob on port 8118. What was that all about? Also lots of action in former Soviet bloc countries. What goes around, comes around, tovarisch! And of course port 9415 is still big. I guess the Chinese haven't discovered how to patch software yet.

So I'm this close >< to putting the List back up, but I've got some editing to do to get rid of the "offensive content".

Proxy Obsession is all in one piece but I don't have a place to put it yet, so there's going to be some dead links. I obsessed about which domain to publish the List on for over a week. Back in March I had planned to retire the Hinky Dink brand but that whole deal with Chicago Code's "Bathhouse & Hinky Dink" episode really pissed me off. You spend eight years building your brand and one stupid TV show comes around and hoses your search results forever (for example, try to find the theological meaning of "Will and Grace" with Google some time).

Now it's personal.

For the UT99 crowd, not that they ever bother to show up here, The Map is back up, but it won't be updated for awhile yet.

Sorry about shutting the comments off, but some people don't know how to STFU. All it takes is one shitburger munching retard to ruin things for everyone.

Sunday, May 01, 2011

Ever since the URL shortening services began with tinyurl.com, I've been extremely suspicious of them, probably because back in The Old Days it was a popular way to put up a goatse or a tubgirl link (if you don't know, don't ask) for the newbs. Fortunately, that kind of abuse is A Thing Of The Past now. But... you never know.

Just today, I got somebody else's SPAM in my mailbox (long story—some guy on my ISP thinks my email address is his wife's email address—this has been going on for years). Normally I just delete the shit. Today I was curious, so I dragged the email out of my InBox and onto the desktop and peeked at it with Notepad.

I'm not sure why, but I was quite surprised to find bit.ly links inside the email. There was no way in Hell I was clicking on any of them, so I wrote a tiny kidscript called "debitly" to check them out.

And before you decide to leave a comment to enlighten me, yes, I know you can hover your mouse pointer over a bit.ly link in a browser and get the full URL—this is different. This is HTML I don't want to render in a browser or in an email or anywhere else. It's plainly in ten foot pole territory.

You could tack a "| grep Location:" on the end of that code to lose the headers, but they are there for your enlightenment.
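Here is the same idea in Python, as an added example rather than the author's "debitly" kidscript (which isn't reproduced on the page): pull the short links out of the raw message text, send the shortener a single HEAD request, and read the Location header off its 301/302 without ever fetching the target. Nothing gets rendered. The shortener host list, the sample mail and the sample reply are constructed for the example; only `expand_once()` touches the network.

```python
"""Expand bit.ly-style short links without rendering the mail or
following the redirect.

Added example; not the author's "debitly" script. One HEAD request to
the shortener, read Location from its 3xx reply, stop there. Host names,
the sample mail and the sample reply below are constructed.
"""
import re
import http.client
from urllib.parse import urljoin, urlsplit

# Shortener hosts to look for in raw message text (assumption: extend as needed).
SHORTENER_HOSTS = ("bit.ly", "j.mp", "tinyurl.com")


def find_short_links(text):
    """Pull shortener URLs out of raw, unrendered email text, deduplicated in order."""
    hosts = "|".join(re.escape(h) for h in SHORTENER_HOSTS)
    pattern = r"https?://(?:%s)/[A-Za-z0-9_\-]+" % hosts
    seen, out = set(), []
    for m in re.findall(pattern, text):
        if m not in seen:
            seen.add(m)
            out.append(m)
    return out


def parse_redirect(raw):
    """Parse the head of a raw HTTP response (bytes).

    Returns (status, location); location is None unless the status is 3xx
    and a Location header is present. Header names are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    location = headers.get("location") if 300 <= status < 400 else None
    return status, location


def absolute_location(short_url, location):
    """Resolve a relative Location against the short URL (servers may send one)."""
    return urljoin(short_url, location)


def expand_once(short_url, timeout=10.0):
    """One HEAD request, one hop. Needs network access; not exercised offline.
    Returns (status, absolute target or None). http.client never follows redirects,
    so the target site is never contacted."""
    u = urlsplit(short_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    conn.request("HEAD", path, headers={"User-Agent": "debitly/0.1"})
    resp = conn.getresponse()
    loc = resp.getheader("Location")
    conn.close()
    return resp.status, (absolute_location(short_url, loc) if loc else None)


# Constructed sample reply of the kind a shortener sends (not captured from bit.ly).
SAMPLE_REPLY = (
    b"HTTP/1.1 301 Moved\r\n"
    b"Server: nginx\r\n"
    b"Location: http://www.example-mailer.test/offer?src=optin\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample mail body, viewed raw, never rendered.
SAMPLE_MAIL = (
    "Joe Blow says: click here http://bit.ly/1aBcDe for the deal,\n"
    "or here http://bit.ly/1aBcDe again, mirror at http://j.mp/zzZ9.\n"
)

if __name__ == "__main__":
    for link in find_short_links(SAMPLE_MAIL):
        # Offline demo against the canned reply; use expand_once(link) for a live lookup.
        print(link, "->", parse_redirect(SAMPLE_REPLY))
```

`parse_redirect()` is the "| grep Location:" part; keeping the rest of the headers around (the Server line, for instance) is what tells you who's on the other end. If the first hop lands on another shortener, call `expand_once()` again on the result rather than letting any client follow the chain for you.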

"Joe Blow" is not his real name. And comcrud.net is not the domain, but you get the picture. And if I get into Deep Shit over this, it was Hypponen who Tweeted it in the first place, so don't harass me about it. Keep your fucking Digital Millennium Copyright Act in your pants, OK?

As it turns out, the bit.ly links in the SPAM email were "legitimate". That is to say they pointed to the opt-in SPAM customer's Web site, which is all well and good, but it was a disappointment to find out bit.ly is in the SPAM business, even if it is opt-in SPAM.

Why was I disappointed? Well, they had a write-up of bit.ly's chief scientist, Hilary Mason, in Scientific American last month and I thought she was cute as Hell. I was smitten, but now I know she's just another Advertising Slut. sigh

But I was pleased to see they were using nginx! That makes a lot of sense if you're throwing out a shitload of 301 redirects 24x7. At least they have good taste in Web servers.

For those who don't know (and you know who you are), I have been professionally involved with proxies of one sort or another for over fifteen years. For the past three years I've taken it upon myself to study the issue of open proxies in depth. I scrape all the well-known proxy lists available on the Web, geolocate the IP addresses and collect the whole mess in a MySQL database.

Besides the well-known lists I have also been lucky enough to have stumbled upon some private, "for pay" proxy lists whose operators didn't know how to write a proper robots.txt file and a handful of hacker and SPAMmer sites that kept their own lists. In fact 20% of the database came from just one of those hacker sites.

On the 19th of April, I published a notice explaining the origin of the ubiquitous port 9415 proxies, which result from insecure default settings in a popular software package with 100,000,000 (one hundred million) active users, most of whom live in China. Someone didn't like that and as a result I'm no longer publishing my results in the venues you were used to finding them. Except for this one, and there's no telling how long it will last.

Why? Here's some Wild Speculation™. You don't have to believe a word of it. It's presented to make you go "hmmm". If you own a tinfoil hat, please put it on now.

There has been a lot of press about cyberwar these days. And a lot of hype. But there have been few skeptics (see this Forbes article for a good dose of cyberskepticism). A lot of the hype could be spin from the HBGary story of earlier this year. Spin in the form of generating fear. We must protect ourselves from the Cyber Boogie Man.

So what, if anything, does this have to do with Chinese proxies? They make an excellent choice for covert false flag operations. A jump point if you need to convince someone (perhaps with budget authority) of the grim reality of an Advanced Persistent Threat.

That's it. At least it makes me go "hmmm". I would think that someone would like to see these proxies disappear, especially the company that wrote the software, unless they're spooks, too.

With that in mind, we're going to track these proxies for the next few months. I have a feeling they will never go away, even though it should be a simple fix for the people who wrote the software. Here are the numbers as I saw them for April, 2011:

As you can see, port 9415 proxies are almost half of all proxies published on proxy lists. For the people who think proxies are a Bad Thing, there you go. Fix these and you cut the problem in half. I'll even let you take all the credit for doing it. You'll be heroes.

My system hung twice at ipv6.cnn.com, so thinking that must've been an IPv6 issue and knowing that CNN has been flaky on IPv6 in the past, I went back to the IPv4 version of CNN and it hung again. Hung tight. No keyboard. No mouse. No network. CPU went to 100% and a crash dump started.

Tight.

That made three strikes for CNN, so I stayed away. Then it happened on another site. Both sites were "Flashy", if you catch my drift, and since Chrome has its own Flash drivers, that seemed a likely reason to suspect Chrome itself.

But then again, I recently updated the drivers for my NVIDIA GeForce 9400 GT vidcard, which is always a crapshoot anyway (BTW, never use the NVIDIA drivers from Windows Update). And of course, like everything else around here, the box is getting old.

I could roll the drivers back and do some investigating but the Lazy Man's way of dealing with this sort of thing is to complain online.